[00:12.760 --> 00:14.520]  Hello, AppSec villagers.
[00:15.160 --> 00:18.960]  Welcome to the second year of AppSec Village at DEF CON.
[00:19.260 --> 00:22.420]  Well, it says pause for cheering in my notes,
[00:22.420 --> 00:25.720]  but that's not going to work in safe mode, isn't it?
[00:26.020 --> 00:31.060]  So for those who do not know me, I'm Erez Yalon, the village mayor.
[00:31.060 --> 00:33.160]  I'm glad you could join us today.
[00:33.200 --> 00:37.400]  After years of participating in DEF CON and as an attendee,
[00:37.400 --> 00:41.080]  and then as part of some other villages,
[00:41.080 --> 00:45.000]  last year my dream of creating an AppSec Village came true.
[00:45.020 --> 00:49.160]  Luckily, I had one person supporting my dream from the get-go.
[00:49.160 --> 00:51.580]  If you have not yet met my partner in crime,
[00:51.580 --> 00:55.080]  I encourage you to pop over to Discord and say hi to Leora,
[00:55.680 --> 00:57.420]  our AppSec Village queen.
[00:57.700 --> 01:01.240]  She may not answer, as she is busy putting out fires,
[01:01.240 --> 01:02.600]  but it's worth a shot.
[01:03.800 --> 01:06.140]  Going virtual is full of challenges,
[01:06.140 --> 01:08.900]  but we did get a few things done right.
[01:08.900 --> 01:14.100]  One of those things was to bring Tiffany as our chief people herder.
[01:14.560 --> 01:18.300]  You will probably see the impact of her work throughout DEF CON.
[01:18.660 --> 01:23.880]  Interning to our leadership team in the role of Duke of Content is Joe Christian.
[01:23.960 --> 01:26.080]  Together with the CFP committee,
[01:26.080 --> 01:30.620]  he has put together a great lineup for you over the next three days.
[01:30.800 --> 01:36.000]  That lineup begins today with our keynote, Maddie Stone.
[01:36.000 --> 01:39.220]  Maddie is a security researcher at Google Project Zero.
[01:39.540 --> 01:41.940]  She likes to figure out how things work,
[01:41.940 --> 01:46.720]  from chips to software, and then break it.
[01:46.780 --> 01:51.240]  Her current focus is navigating the jungle of zero-day exploits.
[01:51.560 --> 01:55.040]  Please join me in welcoming Maddie Stone to the virtual stage
[01:55.040 --> 02:00.080]  with Who's Secure, Who's Not, and Who Makes That Choice.
[02:03.640 --> 02:06.920]  Good morning, good afternoon, good day,
[02:06.920 --> 02:10.180]  since we're all in different time zones around the globe,
[02:10.180 --> 02:12.180]  I am so excited to be here.
[02:12.180 --> 02:15.640]  And I just want to say thank you to Erez and the whole AppSec Village team
[02:15.640 --> 02:19.580]  for one, inviting me, and two, for putting on such a great event.
[02:20.000 --> 02:23.180]  And thank you for being here and joining me,
[02:23.180 --> 02:25.300]  as at least I hope some of you are here,
[02:25.300 --> 02:28.100]  since I am recording this all alone in my home,
[02:28.100 --> 02:31.520]  and I'm going to try to remember to look at the webcam.
[02:31.680 --> 02:33.080]  So let's get into it.
[02:33.080 --> 02:36.240]  My name is Maddie Stone, my pronouns are she and her,
[02:36.240 --> 02:39.200]  and I'm a security researcher on Google Project Zero,
[02:39.200 --> 02:42.040]  where I mainly focus on zero-day vulnerabilities
[02:42.040 --> 02:44.180]  that are exploited in the wild.
[02:44.360 --> 02:48.180]  But in other news, I also know every word to Hamilton,
[02:48.180 --> 02:52.180]  so I hope some of y'all picked up that the title of this talk
[02:52.180 --> 02:53.980]  is coming from the song,
[02:53.980 --> 02:58.400]  Who Lives, Who Dies, Who Tells Their Stories.
[02:58.940 --> 03:01.460]  So now this year, I've wrapped up Black Hat,
[03:01.460 --> 03:05.140]  sang here at AppSec Village, and I think we're good to go.
[03:06.040 --> 03:09.320]  But getting back to the title of this talk,
[03:09.320 --> 03:13.360]  who's secure, who's not, and who makes that choice?
[03:13.760 --> 03:17.380]  Spoiler, who makes that choice? It's us.
[03:17.600 --> 03:21.080]  This talk has really been heavy on my heart a lot,
[03:21.080 --> 03:24.140]  and it really came from back at the end of May,
[03:24.140 --> 03:26.600]  here in the United States, George Floyd was murdered.
[03:26.600 --> 03:29.940]  And that came on the heel of Ahmaud Arbery and Breonna Taylor
[03:29.940 --> 03:31.800]  also being murdered.
[03:31.800 --> 03:34.920]  And it's been a real reckoning of the racism
[03:34.920 --> 03:37.680]  that prevails here in the United States,
[03:37.680 --> 03:40.540]  or at least I hope it's a reckoning.
[03:40.540 --> 03:43.100]  And for me, that's really prompted a lot of
[03:43.100 --> 03:45.520]  educating myself and figuring out
[03:45.520 --> 03:48.220]  what role have I played in racism,
[03:48.220 --> 03:52.780]  but how also, what role will I play in anti-racism
[03:52.780 --> 03:58.300]  and working to change this and address systemic racism across society.
[03:58.300 --> 04:01.000]  But it's also looking at and has brought attention to
[04:01.000 --> 04:03.680]  other marginalizations and inequities
[04:03.680 --> 04:06.340]  across populations across the globe.
[04:06.680 --> 04:08.820]  And so, when looking at this,
[04:08.820 --> 04:11.620]  I was reading books, listening to
[04:12.520 --> 04:14.740]  black voices and educators,
[04:14.740 --> 04:17.300]  donating money, going to protests,
[04:17.300 --> 04:19.860]  figuring out all these different ways to participate.
[04:19.920 --> 04:23.180]  But I think it was a really important one to also look inward of
[04:23.180 --> 04:26.300]  how might I contribute to either helping or harming
[04:26.300 --> 04:28.140]  through my job, too.
[04:28.140 --> 04:31.120]  Especially with coronavirus, today everything
[04:31.120 --> 04:33.420]  is based on technology.
[04:33.420 --> 04:36.120]  To succeed, to participate in society,
[04:36.120 --> 04:38.840]  you have to be using technology.
[04:38.980 --> 04:42.320]  Schools are going online, work is going online,
[04:42.320 --> 04:43.920]  healthcare is going online.
[04:43.920 --> 04:46.960]  It's hard to buy devices nowadays that don't
[04:46.960 --> 04:50.360]  incorporate connections to the internet.
[04:50.480 --> 04:53.480]  So if that connection to the internet and using technology
[04:53.480 --> 04:57.260]  is not safe, secure, and private for all,
[04:57.260 --> 05:00.680]  then what type of effect does that have?
[05:00.680 --> 05:03.880]  How are we contributing if we are the ones
[05:03.880 --> 05:06.600]  who make all of those decisions about securing
[05:06.600 --> 05:08.260]  apps and devices?
[05:08.940 --> 05:11.140]  So I really started thinking about
[05:11.140 --> 05:14.040]  what is our role in the inequities
[05:14.040 --> 05:17.360]  in safe and secure access to technology?
[05:17.620 --> 05:20.060]  Because we are those decision makers.
[05:20.180 --> 05:22.300]  And as much as I would love there to be,
[05:22.300 --> 05:25.200]  I had to come to terms with the fact there is no neutral.
[05:25.200 --> 05:27.440]  There's only helping or harming.
[05:27.440 --> 05:30.160]  Because even if you're just helping one
[05:30.900 --> 05:34.060]  group of people and you try to believe there's
[05:34.060 --> 05:36.720]  no negative impacts to another,
[05:36.720 --> 05:40.900]  you're still broadening that gap if you're only helping one.
[05:40.940 --> 05:43.220]  And that contributes to more and more
[05:43.220 --> 05:46.000]  inequity. But the thing is,
[05:46.000 --> 05:49.080]  also, if we have the power to
[05:49.080 --> 05:52.640]  have caused and contributed to inequities,
[05:52.640 --> 05:55.660]  then that means we also have the power to address them.
[05:55.660 --> 05:59.220]  To create a more safe and secure society for all.
[05:59.260 --> 06:00.600]  And that can be exciting.
[06:00.960 --> 06:04.240]  So through this talk, I'm going to show some examples
[06:04.240 --> 06:06.940]  of where I think we in the security community
[06:08.460 --> 06:11.000]  have not served everyone.
[06:11.160 --> 06:13.860]  But I'm not using those negative examples
[06:13.860 --> 06:16.340]  to shame us or be like, no, no, no.
[06:16.400 --> 06:19.080]  In this example, all these people are bad.
[06:19.080 --> 06:22.040]  No, it's that, you know, really come to terms
[06:22.040 --> 06:25.060]  taking ownership for the decisions we make as a community
[06:25.700 --> 06:27.380]  and an industry.
[06:27.380 --> 06:30.920]  Because then we can see and address them so we can do better
[06:30.920 --> 06:33.560]  in the future. And we can do it together.
[06:34.380 --> 06:37.800]  So here's our first example. And it's topical.
[06:38.200 --> 06:40.100]  You know, come March when
[06:40.100 --> 06:43.020]  lockdowns and shelter in place started in a lot of places
[06:43.020 --> 06:46.300]  around the world, a lot of everything we did shifted
[06:46.300 --> 06:49.620]  to Zoom. And Zoom was listening as everyone was
[06:49.620 --> 06:52.700]  crying for, we need end-to-end encryption.
[06:53.180 --> 06:56.120]  You shouldn't be able to, you at Zoom,
[06:56.120 --> 06:58.140]  see the contents of the calls. And so
[06:58.140 --> 07:01.540]  Zoom listened. They got all excited and issued, you know,
[07:01.540 --> 07:04.140]  to the press, we will begin providing
[07:04.140 --> 07:07.400]  end-to-end encryption. But it will only be for the
[07:07.400 --> 07:10.360]  paid tier, for the paying customers only.
[07:10.820 --> 07:13.400]  And so it's only those
[07:13.400 --> 07:16.620]  who can pay and will pay are deserving
[07:16.620 --> 07:19.820]  of that end-to-end encryption protection.
[07:19.880 --> 07:22.320]  But it even went so far as to say
[07:22.320 --> 07:25.540]  the reason why it's only for paying customers is that they want to be
[07:25.540 --> 07:28.900]  able to work with law enforcement to catch bad actors.
[07:28.940 --> 07:31.520]  So that makes it even worse. Because isn't the
[07:31.520 --> 07:34.300]  meaning then of that is, hey, we think that
[07:34.300 --> 07:37.380]  only those who can't afford and won't
[07:37.380 --> 07:40.720]  pay for the paid version of Zoom,
[07:40.720 --> 07:43.500]  they're the only ones who could be bad actors and thus
[07:43.500 --> 07:46.160]  should be reported to law enforcement.
[07:46.640 --> 07:49.440]  And thus, we're then saying
[07:49.440 --> 07:52.800]  you can be safe, don't deserve to go to jail,
[07:52.800 --> 07:56.140]  you know, on and on if you're going to pay us.
[07:56.160 --> 07:59.320]  But otherwise, you don't deserve that protection.
[07:59.560 --> 08:01.920]  Thankfully, this was reversed thanks to
[08:01.920 --> 08:04.480]  outcry from the community as well as
[08:05.680 --> 08:07.920]  ACLU. But the fact that we got
[08:07.920 --> 08:09.180]  to this point.
[08:11.240 --> 08:14.840]  Now let's go back in time a little further.
[08:14.940 --> 08:18.560]  In October 2018 and March 2019,
[08:18.560 --> 08:20.260]  two 737 MAX
[08:20.260 --> 08:23.040]  Boeing airplanes crashed. One was from
[08:23.040 --> 08:26.200]  Lion Air, a budget Indonesian airline company.
[08:26.200 --> 08:29.120]  And the other was Ethiopian Air based in
[08:29.120 --> 08:31.880]  Ethiopia. And so there was a lot
[08:31.880 --> 08:35.440]  of press about how the cause of this was the MCAS system.
[08:35.440 --> 08:38.060]  A system put into these new jets that pilots
[08:38.060 --> 08:41.200]  hadn't been trained on. And using technology
[08:41.200 --> 08:44.000]  made a lot of decisions for the pilots such as when
[08:44.000 --> 08:47.500]  the nose should go down or up and things like that.
[08:47.980 --> 08:50.400]  But then it came out in this New York Times article
[08:50.400 --> 08:52.840]  that there were two actual
[08:53.380 --> 08:55.800]  extras that airlines could buy for their
[08:56.280 --> 08:59.360]  airplanes. And these two extras could have
[08:59.360 --> 09:02.020]  helped prevent the crashes
[09:02.020 --> 09:05.780]  potentially because they would alert the pilots
[09:05.780 --> 09:08.580]  when that MCAS system was acting up
[09:08.580 --> 09:11.760]  and that the sensors maybe shouldn't be trusted.
[09:11.760 --> 09:14.400]  And so those two features were the angle of attack
[09:14.400 --> 09:17.320]  indication and the angle of attack disagree light.
[09:17.880 --> 09:21.060]  But Boeing charged extra for them.
[09:24.230 --> 09:27.110]  Another example is single sign-on.
[09:27.110 --> 09:30.310]  So across our community, best practices,
[09:30.310 --> 09:32.750]  I think we all generally say that SSO
[09:32.750 --> 09:36.930]  is a critical part of securing enterprises.
[09:37.110 --> 09:38.930]  Single sign-on or SSO allows
[09:38.930 --> 09:42.250]  users to sign into many different tools
[09:42.250 --> 09:44.970]  using that same account.
[09:45.850 --> 09:47.990]  And so the reason why this is considered a best
[09:47.990 --> 09:50.970]  practice is then like the company who's buying
[09:50.970 --> 09:54.110]  these different tools and needs their employees to log in
[09:54.110 --> 09:56.950]  only has to track privileges and
[09:56.950 --> 09:59.810]  accesses on one account system
[09:59.810 --> 10:01.830]  and it prevents
[10:02.990 --> 10:05.930]  different password roles, potential repetition
[10:05.930 --> 10:08.710]  if the employees have to come up with all these different
[10:08.710 --> 10:11.930]  accounts and passwords. And it also is much easier
[10:11.930 --> 10:14.750]  to handle when an employee leaves. You don't have to remember
[10:14.750 --> 10:17.850]  to remove all of these different accesses. You only have to
[10:17.850 --> 10:21.250]  delete it in one place. So this website,
[10:21.250 --> 10:23.870]  sso.tax, tracks the difference
[10:23.870 --> 10:27.210]  in costs that software-as-a-service companies charge
[10:27.210 --> 10:30.530]  if the company buying their software, their customer
[10:30.530 --> 10:33.950]  wants single sign-on as a part of this.
[10:33.970 --> 10:36.590]  And so it's often two to three times more
[10:36.590 --> 10:39.190]  if you want to use single sign-on
[10:39.190 --> 10:42.670]  but sometimes can be as much as 500%
[10:42.670 --> 10:45.310]  increase in price in the case of Airtable
[10:46.030 --> 10:48.570]  and you can see the others here.
[10:48.710 --> 10:51.490]  And just think about that for a second.
[10:51.490 --> 10:54.390]  This is something we consider as the information
[10:54.390 --> 10:57.690]  security community. We consider it a core thing
[10:57.690 --> 11:00.290]  enterprises should be doing to protect themselves
[11:00.290 --> 11:03.670]  and thereby their users. And we as an
[11:03.670 --> 11:06.590]  industry also complain when companies
[11:06.590 --> 11:09.730]  don't follow our best practices. But we're now
[11:09.730 --> 11:12.750]  adding these hurdles for them to be able to follow our best
[11:12.750 --> 11:15.690]  practices. We're saying, actually you only
[11:15.690 --> 11:18.550]  should do it if you can pay this extra.
[11:18.550 --> 11:21.730]  Otherwise you don't need this core security
[11:21.730 --> 11:22.930]  feature.
[11:26.260 --> 11:29.120]  Another example where paying
[11:29.120 --> 11:31.900]  got you more privacy or safety or security
[11:31.900 --> 11:35.740]  is that from 2013 to 2016, AT&T
[11:35.740 --> 11:38.540]  which is an internet provider here in the
[11:38.540 --> 11:41.660]  United States, they would charge you 30 to 60
[11:41.660 --> 11:44.320]  dollars more a month if you did not consent
[11:44.320 --> 11:47.400]  to their internet preferences program. So the
[11:47.400 --> 11:50.520]  internet preferences program tracked all of the web browsing
[11:50.520 --> 11:53.440]  you did, how long you spent on the website and things
[11:53.440 --> 11:56.540]  like that. And since it was at the ISP level,
[11:56.540 --> 11:59.340]  it ignored cookie preferences, ignored do not track
[11:59.340 --> 12:02.820]  private browsing, etc. So if you consented
[12:02.820 --> 12:05.680]  to AT&T being able to gather all
[12:05.680 --> 12:08.200]  this data from you, you got to pay
[12:08.200 --> 12:10.560]  30 to 60 dollars less.
[12:10.800 --> 12:12.900]  So at the point of
[12:15.100 --> 12:17.560]  a year, that's 720 dollars
[12:17.560 --> 12:21.200]  or this article says 744 extra per year.
[12:21.560 --> 12:23.600]  I don't know a lot of people who would say,
[12:23.600 --> 12:26.620]  sure, I can pay 744 dollars a year
[12:26.620 --> 12:29.640]  for so-and-so privacy, but the ones
[12:29.640 --> 12:32.500]  who can and will and
[12:32.500 --> 12:35.640]  understand that, they get to be safe and secure
[12:35.640 --> 12:38.220]  and private. Everyone else deserves to
[12:38.220 --> 12:41.520]  have their data read
[12:41.520 --> 12:44.480]  and tracked. And so finally after, you know, multiple
[12:44.480 --> 12:47.760]  years of this program ongoing,
[12:47.760 --> 12:50.560]  AT&T was getting more bad press and they decided to
[12:50.560 --> 12:54.060]  cancel the program. But it still went on for a while,
[12:54.060 --> 12:56.520]  you know, from 2013 to 2016.
[12:57.640 --> 12:59.700]  And so this is
[12:59.700 --> 13:02.680]  where I think we all really need
[13:02.680 --> 13:05.480]  to think both individually and as an
[13:05.480 --> 13:08.500]  industry, what do our actions say? And do
[13:08.500 --> 13:11.560]  those, they match our beliefs around InfoSec
[13:11.560 --> 13:13.640]  and security and privacy.
[13:14.300 --> 13:17.620]  Because I know what I hear from others and what
[13:17.620 --> 13:20.600]  I believe is not that, oh, security
[13:21.480 --> 13:23.900]  is only for some. I continue
[13:23.900 --> 13:26.520]  to hear that security and privacy is a requirement
[13:26.520 --> 13:30.300]  and that shouldn't be a commoditized feature.
[13:30.300 --> 13:32.750]  Because while we all value it,
[13:33.120 --> 13:35.940]  it's the baseline. It's the foundation.
[13:35.940 --> 13:38.740]  You shouldn't have a minimal viable product that doesn't
[13:38.740 --> 13:41.760]  have security and privacy built in. It's not
[13:41.760 --> 13:44.760]  that extra that you can add in in version 2
[13:44.760 --> 13:47.980]  or it's only for premium users.
[13:48.180 --> 13:50.580]  So if we know there is
[13:51.200 --> 13:53.860]  a type of way to keep users safe, then they
[13:53.860 --> 13:56.720]  deserve that. If that's
[13:56.720 --> 14:00.040]  our mission and our beliefs and our values though,
[14:00.380 --> 14:02.740]  do our actions line up with that?
[14:02.740 --> 14:05.840]  Because it looks like based on these many anecdotes
[14:05.840 --> 14:08.060]  that we're actually saying
[14:08.640 --> 14:11.080]  only the rich deserve to be secure.
[14:11.600 --> 14:14.520]  And I don't think, honestly, that's what
[14:14.520 --> 14:18.080]  any of us in the community believe
[14:18.080 --> 14:20.920]  what we would go around telling. People get up on
[14:20.920 --> 14:23.840]  the stage during conference talks saying only the rich deserve
[14:23.840 --> 14:26.400]  privacy. Everyone else should have all of their internet
[14:26.400 --> 14:29.740]  behaviors tracked. But is that...
[14:29.740 --> 14:32.760]  do our actions and how we secure
[14:32.760 --> 14:35.640]  products and the products we release and the apps we
[14:35.640 --> 14:37.780]  release, do they show that?
[14:38.740 --> 14:41.720]  So security, privacy, and safety are
[14:41.720 --> 14:44.440]  our minimal viable product. Everything
[14:44.440 --> 14:47.520]  has to have them built in to be a product,
[14:47.520 --> 14:50.560]  to be an app that launched. Otherwise, we don't
[14:50.560 --> 14:52.840]  have anything that is fit to be released
[14:53.580 --> 14:56.620]  to prod, basically. And I know this
[14:56.620 --> 14:59.740]  analogy has been beaten over and over and over
[14:59.740 --> 15:02.680]  again. But what we need to do is
[15:02.680 --> 15:05.340]  treat the security, privacy, and safety
[15:05.340 --> 15:09.180]  in the same way that cars treat seatbelts.
[15:09.220 --> 15:12.380]  Yes, it costs more to add a seatbelt to a car.
[15:12.380 --> 15:14.840]  But that is the minimal accepted level.
[15:14.840 --> 15:18.000]  You can't buy a car right now that does not have seatbelts
[15:18.000 --> 15:20.240]  in. And so that's how we should treat
[15:20.240 --> 15:21.820]  security, too.
[15:24.200 --> 15:26.940]  And so, at this point, sometimes
[15:26.940 --> 15:30.380]  people say, oh, we should just all be
[15:30.380 --> 15:33.360]  apolitical. If that straw man argument
[15:33.360 --> 15:36.220]  is coming up, then I would just like you
[15:36.220 --> 15:39.240]  to think about the fact that all we're talking
[15:39.240 --> 15:42.040]  about is addressing the inequities that
[15:42.040 --> 15:45.220]  can occur for different groups of people when
[15:45.220 --> 15:48.060]  we're trying to secure products. Our job is to be
[15:48.060 --> 15:51.080]  security engineers or other types of professionals in
[15:51.080 --> 15:54.000]  the information security community. So talking about
[15:54.000 --> 15:57.300]  those impacts, I don't think that's political.
[15:57.660 --> 16:00.180]  If you do, then sure, InfoSec
[16:00.180 --> 16:02.820]  is inherently political.
[16:02.900 --> 16:06.400]  But these conversations about having a
[16:06.400 --> 16:09.200]  specific group we're trying to protect have been around
[16:09.200 --> 16:12.280]  since the beginning of the industry and the community
[16:12.280 --> 16:15.380]  because we've always had set users that
[16:15.380 --> 16:18.620]  we're hoping to secure further or
[16:18.620 --> 16:20.140]  provide more privacy for.
[16:20.140 --> 16:23.220]  And so let's look at some of that and how that's
[16:23.220 --> 16:26.260]  framed that we've always had a user in mind.
[16:26.520 --> 16:29.420]  So first, we can go back to 2002
[16:29.420 --> 16:32.340]  when Hacktivismo, a branch off from the
[16:32.340 --> 16:35.260]  Cult of the Dead Cow, launched the Six/Four system.
[16:35.260 --> 16:37.320]  So the Six/Four system is a network
[16:38.320 --> 16:40.780]  proxy built to evade censorship
[16:40.780 --> 16:44.260]  and the protocol was named Six/Four to remember
[16:44.260 --> 16:46.980]  the massacre at Tiananmen Square, which occurred on
[16:46.980 --> 16:49.520]  June 4th, therefore Six/Four.
[16:50.900 --> 16:53.360]  And one of the main reasons
[16:53.360 --> 16:55.940]  at least that I've read that this was created
[16:55.940 --> 16:58.800]  was to specifically help users
[16:58.800 --> 17:01.960]  who are living in countries that have heavy censorship
[17:01.960 --> 17:05.420]  of the internet, like China and Iran.
[17:07.180 --> 17:08.240]  And fast forward
[17:08.240 --> 17:11.240]  to today, here's another example of having a very
[17:11.240 --> 17:14.040]  clear user base of who you're trying to protect
[17:14.040 --> 17:17.000]  in mind. It's even in the advertisement
[17:17.000 --> 17:20.080]  top of the page. A few years ago, Google
[17:20.080 --> 17:23.080]  launched the Advanced Protection Program and it's
[17:23.080 --> 17:25.980]  specifically to protect and secure
[17:25.980 --> 17:29.120]  those at risk of targeted attacks.
[17:29.120 --> 17:32.000]  So journalists, political campaign leaders,
[17:32.000 --> 17:33.940]  activists, etc.
[17:36.440 --> 17:37.900]  And again,
[17:37.900 --> 17:40.820]  here's another example from the early days of our industry
[17:40.820 --> 17:43.640]  until now, that generally as a community
[17:43.640 --> 17:46.740]  we have come together to fight against
[17:46.740 --> 17:49.300]  DRM and fight for
[17:50.220 --> 17:52.640]  consumers. So we're not
[17:52.640 --> 17:55.660]  going through and trying to protect the companies that
[17:55.660 --> 17:58.700]  are building DRM into their devices
[17:58.700 --> 18:02.040]  like a refrigerator, Windows 95,
[18:02.040 --> 18:05.720]  video games, John Deere tractors.
[18:06.120 --> 18:07.840]  Hackers are generally trying to
[18:07.840 --> 18:10.220]  find bypasses for these to protect
[18:10.220 --> 18:13.320]  and fight for those consumers and the customers who have
[18:13.640 --> 18:15.840]  bought or used these products.
[18:17.660 --> 18:19.360]  And all of those examples
[18:19.360 --> 18:22.640]  of having a clear user base in mind of who we're
[18:22.640 --> 18:25.500]  trying to protect comes to finally
[18:25.500 --> 18:28.340]  threat modeling. Threat modeling is a very
[18:28.340 --> 18:31.900]  basic but integral and probably required
[18:31.900 --> 18:34.160]  part of our jobs when we're looking to give
[18:34.160 --> 18:37.440]  advice, suggestions, or build new security
[18:38.940 --> 18:40.640]  things into what we're
[18:40.640 --> 18:43.620]  deploying. And in the threat
[18:43.620 --> 18:46.460]  model, you're trying to decide what
[18:46.460 --> 18:49.240]  are all these threats to the thing I'm trying to protect?
[18:49.340 --> 18:52.340]  So to be able to create that threat model, you have to know
[18:52.340 --> 18:56.100]  really well the exact group you're trying to protect.
[18:56.340 --> 18:58.000]  Threat models shouldn't be,
[18:58.000 --> 19:00.960]  I'm trying to protect everyone that exists on this globe.
[19:00.960 --> 19:03.460]  That would be a terrible threat model because we all are
[19:03.460 --> 19:07.240]  different human beings with different concerns, different threats,
[19:07.240 --> 19:09.600]  and that's just the way it is.
[19:09.600 --> 19:12.980]  So I hope through this talk you're not taking that Maddie is saying
[19:12.980 --> 19:16.300]  our threat models have to be every single human.
[19:16.300 --> 19:19.700]  The point is that first identifying,
[19:19.700 --> 19:21.780]  like we do, exactly who
[19:21.780 --> 19:24.600]  is the person we have in mind
[19:24.600 --> 19:27.840]  that we're creating these security features for and are thus
[19:27.840 --> 19:29.820]  trying to protect.
[19:30.940 --> 19:33.920]  And the key of that is that though,
[19:33.920 --> 19:37.400]  once we make that choice of who is protected,
[19:37.400 --> 19:40.040]  we also need to acknowledge and take ownership
[19:40.040 --> 19:43.420]  that that is also making a choice of who is not protected.
[19:43.540 --> 19:45.860]  Because when we're building security
[19:45.860 --> 19:49.080]  and new products and features for a certain
[19:49.080 --> 19:52.100]  group of people, inherently another is excluded.
[19:52.860 --> 19:55.320]  So for example, Google Advanced Protection,
[19:55.320 --> 19:58.220]  that's not bad because not everyone needs
[19:58.220 --> 20:01.180]  all of that protection and some would actually find it
[20:01.180 --> 20:04.640]  very frustrating to use.
[20:04.820 --> 20:07.360]  But that is a decision and an ownership of
[20:07.360 --> 20:10.240]  okay, it's the people who choose to opt in
[20:10.240 --> 20:13.320]  who view themselves as at risk of targeted
[20:13.320 --> 20:15.560]  attacks or fall into one of these
[20:16.320 --> 20:19.600]  certain categories like working on a political campaign.
[20:20.600 --> 20:22.420]  But we do need to address this
[20:24.900 --> 20:26.680]  because the ability for
[20:26.680 --> 20:29.260]  us to make those choices is
[20:29.260 --> 20:32.420]  inherently a power and a privilege because others
[20:32.420 --> 20:35.640]  don't get to make that choice necessarily whether or not they're
[20:35.640 --> 20:38.670]  included in these groups that we're trying to protect.
[20:39.060 --> 20:41.480]  And when some people are protected and secure and
[20:41.480 --> 20:44.620]  others aren't, that's going to continue
[20:44.620 --> 20:47.200]  to grow the systemic inequality
[20:47.200 --> 20:50.520]  that we see around the world. So let's look at some
[20:50.520 --> 20:53.540]  side effects of security decisions when
[20:53.540 --> 20:56.280]  you have in mind a clear group you're trying to protect
[20:56.280 --> 20:59.840]  but maybe don't think about all the implications for others.
[21:00.860 --> 21:02.860]  So first,
[21:02.860 --> 21:05.860]  Rite Aid uses facial recognition in secret
[21:05.860 --> 21:08.280]  across hundreds of its stores.
[21:08.580 --> 21:12.480]  So Rite Aid deployed this, you know, to protect themselves.
[21:12.540 --> 21:14.340]  They said in this article
[21:14.340 --> 21:17.180]  that their concern and their reasoning was
[21:17.180 --> 21:19.940]  we need to protect ourselves from theft
[21:19.940 --> 21:23.260]  and we also need to protect our staff and our customers
[21:23.260 --> 21:26.160]  from violence. So that's their security
[21:26.160 --> 21:28.680]  concerns. But
[21:28.680 --> 21:32.260]  if that's who is quote-unquote being protected,
[21:32.260 --> 21:35.080]  it's Rite Aid, they're actually sacrificing
[21:35.080 --> 21:38.220]  all of the privacy of their customers in order to have
[21:38.220 --> 21:40.560]  that security for themselves.
[21:41.220 --> 21:41.380]  And
[21:44.000 --> 21:45.820]  if you read this article
[21:45.820 --> 21:48.340]  and it even says in this headline, this wasn't deployed
[21:48.340 --> 21:51.340]  equally. It was predominantly used in
[21:51.340 --> 21:54.480]  low-income and non-white neighborhoods. And so
[21:54.480 --> 21:57.520]  it's furthering a gap that, oh, we're just worried about
[21:57.520 --> 21:59.140]  theft and
[22:01.040 --> 22:03.840]  violence in non-white, low-income
[22:03.840 --> 22:06.740]  neighborhoods and so we don't need to worry about it there
[22:06.740 --> 22:10.060]  and thus we're sacrificing these people's privacy.
[22:10.060 --> 22:12.800]  But I think if you took a step back
[22:12.800 --> 22:16.060]  and let's say we're security engineers
[22:16.060 --> 22:19.320]  tasked with this problem. How do we help protect Rite Aid
[22:19.320 --> 22:22.120]  from theft? How do we help protect
[22:22.120 --> 22:24.840]  them from violence occurring in the stores?
[22:25.240 --> 22:28.100]  I think we could come up with a lot of different
[22:28.100 --> 22:30.260]  other solutions that could help
[22:31.000 --> 22:34.120]  protect themselves without sacrificing
[22:34.120 --> 22:38.000]  the customers' privacy in the process.
[22:39.380 --> 22:42.120]  Another example is parent or child
[22:42.120 --> 22:45.100]  protection apps. I have a lot of feelings about
[22:45.100 --> 22:48.060]  these apps but I'm not going to get into that now because I'm
[22:48.060 --> 22:51.120]  not a parent. But the
[22:51.120 --> 22:54.120]  whole premise is these are built for the customer
[22:54.120 --> 22:56.700]  which is the parent or the adult guardian
[22:56.700 --> 22:59.760]  to install on their child's mobile devices
[22:59.760 --> 23:03.200]  in order to try and keep the child
[23:03.200 --> 23:06.200]  safe. But if the parent is the one responsible
[23:06.200 --> 23:09.260]  and the customer, it's actually built to address
[23:09.260 --> 23:11.860]  what the parent thinks the kid's threat model is
[23:11.860 --> 23:14.800]  not actually who the user
[23:14.800 --> 23:17.900]  of the device's threat model. And so that can have
[23:17.900 --> 23:21.020]  unintended consequences or maybe intended but
[23:21.020 --> 23:24.280]  we'll go with unintended consequences on whoever
[23:24.280 --> 23:27.140]  is using the device and has this application
[23:27.140 --> 23:30.220]  installed on their own device.
[23:31.180 --> 23:34.240]  So for example
[23:34.820 --> 23:37.980]  in here it's saying this app gives you
[23:37.980 --> 23:41.500]  the ability to listen to the surroundings
[23:41.500 --> 23:44.060]  of whoever is using this app.
[23:44.140 --> 23:48.060]  What? That's turning on the microphone and listening?
[23:48.520 --> 23:50.440]  While the folks securing and building
[23:50.440 --> 23:53.480]  this app may be intending that this
[23:53.480 --> 23:56.600]  app is only used in consensual relationships.
[23:56.640 --> 23:59.460]  The kid gets the phone, the parent talks to the
[23:59.460 --> 24:02.460]  kid of you can have this phone but I'm going to be
[24:02.460 --> 24:05.300]  monitoring these different behaviors for you
[24:05.300 --> 24:08.280]  to be able to use this phone. Hopefully that's what they're
[24:08.280 --> 24:11.260]  building for. That doesn't mean that's the only way
[24:11.260 --> 24:14.460]  this technology will be used. What's the
[24:14.460 --> 24:17.420]  difference in the technology at the base level
[24:17.420 --> 24:20.400]  between spyware and stalkerware? Instead
[24:20.400 --> 24:22.500]  you're depending on
[24:23.800 --> 24:27.320]  the users to only use it in a way
[24:27.320 --> 24:29.280]  in which you're building it.
[24:29.280 --> 24:32.380]  As a woman in my 20s, I have had friends
[24:32.380 --> 24:35.180]  who have stalkerware installed on their phones
[24:35.180 --> 24:38.380]  but it looks and it brands itself as a child protection
[24:38.380 --> 24:41.000]  app. And also do the people
[24:41.000 --> 24:44.060]  building this and the security and the threat model of
[24:44.060 --> 24:47.200]  their users also consider the
[24:48.080 --> 24:50.540]  reality that sometimes the adult
[24:50.540 --> 24:53.520]  parent and guardian doesn't have the child's best interests
[24:53.520 --> 24:56.280]  at heart. These also have been
[24:56.280 --> 24:58.700]  said to be used in child trafficking
[24:59.160 --> 25:02.360]  rings. And so when we make compromises
[25:02.360 --> 25:05.180]  and sacrifices for a single
[25:05.180 --> 25:08.040]  use case such as, oh
[25:08.040 --> 25:11.280]  I don't love this idea but it's only going to be used by
[25:11.280 --> 25:14.360]  parents who have a kid who consents to have it on their
[25:14.360 --> 25:17.240]  phone because otherwise they wouldn't have the phone. If
[25:17.240 --> 25:20.080]  we're building only for that use case but there's
[25:20.080 --> 25:23.240]  nothing making that app only be used in that
[25:23.240 --> 25:26.700]  use case, then we're still causing harm.
[25:26.700 --> 25:29.260]  And so there's no guarantees that code will be
[25:29.260 --> 25:31.820]  built the way we intend it to be built.
[25:33.440 --> 25:35.260]  So, headline
[25:35.260 --> 25:38.360]  kind of says it all. United States government funded
[25:38.360 --> 25:41.400]  phones come pre-installed with unremovable malware.
[25:41.580 --> 25:44.280]  So there is a program or there was
[25:44.280 --> 25:47.160]  in the United States that if you were low income
[25:47.160 --> 25:49.980]  if you didn't have the means to get yourself a phone
[25:49.980 --> 25:53.180]  the US government would provide you with a smartphone
[25:53.180 --> 25:56.160]  based on Android. You know, cheaper
[25:56.160 --> 25:58.620]  phones, not the flagships and
[25:58.620 --> 26:02.260]  lo and behold they come pre-installed with unremovable malware.
[26:02.680 --> 26:05.260]  So this is one of those things
[26:05.260 --> 26:08.000]  where I hope that
[26:08.000 --> 26:10.860]  the government wasn't intending to
[26:10.860 --> 26:14.300]  install malware on each of these devices.
[26:14.300 --> 26:17.300]  I hope that
[26:17.300 --> 26:20.180]  they were trying to give phone and technology
[26:20.180 --> 26:23.500]  access. But because of
[26:23.500 --> 26:26.360]  how cheaper devices
[26:26.360 --> 26:29.120]  have begun to subsidize themselves by installing
[26:29.120 --> 26:31.640]  whatever people will pay them to install
[26:31.640 --> 26:34.660]  we have now harmed the privacy and security
[26:35.170 --> 26:37.680]  of these users who really
[26:37.680 --> 26:41.080]  were already in a tough spot in society
[26:41.080 --> 26:43.380]  and trying to live their lives.
[26:43.380 --> 26:46.700]  So Strava. Even on their website
[26:46.700 --> 26:49.620]  the Strava app says they build
[26:49.620 --> 26:52.560]  for athletes. So that's their user base
[26:52.560 --> 26:55.080]  in mind. That's who they're trying to protect
[26:55.080 --> 26:58.200]  when they're securing this application and the data
[26:58.200 --> 27:01.460]  that is stored that comes from it.
[27:02.000 --> 27:04.000]  But when you just think about
[27:04.000 --> 27:07.540]  securing for athletes, that's only one
[27:07.540 --> 27:10.520]  part of who someone is. So we really need
[27:10.520 --> 27:12.780]  to take into account the intersectionality
[27:12.780 --> 27:15.640]  of all of us as humans. Because
[27:16.400 --> 27:19.540]  as a female athlete, I get very
[27:19.540 --> 27:22.580]  concerned about my location data being able
[27:22.580 --> 27:25.240]  to be tracked by anyone else. Military
[27:25.240 --> 27:28.260]  personnel want to be athletes, want to have
[27:28.260 --> 27:31.020]  the features of the Strava application
[27:31.320 --> 27:34.000]  but I bet it wasn't considered that
[27:34.300 --> 27:37.120]  although the data on the heat maps that are open to the public
[27:37.120 --> 27:40.260]  and on the internet that are seen is aggregated
[27:40.260 --> 27:43.220]  that aggregation meant that you could
[27:43.220 --> 27:46.360]  end up seeing where military bases
[27:46.360 --> 27:49.300]  were abroad when all these different
[27:49.300 --> 27:51.540]  military personnel, who are also athletes
[27:51.940 --> 27:55.340]  were going for their jogs at the end of the day.
[27:58.040 --> 28:00.020]  And here's another example
[28:00.020 --> 28:03.180]  of just how far
[28:03.180 --> 28:06.200]  our specific choices in security
[28:06.200 --> 28:09.600]  can go. So Pixel phones as well as many
[28:09.600 --> 28:12.400]  other devices have a support period where they
[28:12.400 --> 28:15.660]  guarantee you will have security updates for this amount
[28:15.660 --> 28:18.500]  of time. In this case, the Pixel phones
[28:18.500 --> 28:21.120]  have three years from the release date
[28:21.120 --> 28:24.440]  or at least 18 months from the time it's last sold on
[28:24.440 --> 28:26.980]  the Google store. So
[28:26.980 --> 28:30.640]  you know, as a community, I think one of the most basic things
[28:30.640 --> 28:33.340]  we say to users is you should only be
[28:33.340 --> 28:36.240]  using devices that get security updates or else
[28:36.240 --> 28:39.460]  you're kind of asking for trouble. But we also
[28:39.460 --> 28:42.400]  are shortening sometimes these periods that the
[28:42.400 --> 28:45.200]  updates are available for things like phones
[28:45.200 --> 28:48.520]  and computers and devices. And so
[28:48.520 --> 28:50.860]  the first obvious impact that
[28:50.860 --> 28:54.620]  this choice of doing three years of security
[28:54.620 --> 28:57.800]  updates may have is on those
[28:57.800 --> 29:00.540]  again, lower income or don't
[29:00.540 --> 29:03.320]  have access to buying phones quickly
[29:03.320 --> 29:06.100]  and regularly or even just communities
[29:06.100 --> 29:09.560]  which sometimes can be elder
[29:09.560 --> 29:12.460]  adults who are not used to and don't
[29:12.460 --> 29:15.260]  realize they need to be updating a phone
[29:15.260 --> 29:18.500]  every three years. And they actually prefer the older ones because they
[29:18.500 --> 29:22.260]  know how to use them and it's more intuitive to them.
[29:22.440 --> 29:24.720]  So those are some of the obvious impacts
[29:24.720 --> 29:27.800]  to users that we might not be building for or choosing
[29:27.800 --> 29:31.080]  security for. But these decisions go that much
[29:31.080 --> 29:33.940]  further. If we're getting new
[29:33.940 --> 29:36.620]  phones every three years or faster
[29:36.620 --> 29:40.000]  that generates a lot of e-waste. And so
[29:40.000 --> 29:42.860]  while climate change is such a big
[29:42.860 --> 29:45.480]  thing, the more e-waste we generate
[29:45.480 --> 29:49.720]  the more negative impacts that has on our environment.
[29:50.000 --> 29:51.840]  And the environment
[29:51.840 --> 29:55.060]  and climate change doesn't impact all of us equally.
[29:55.060 --> 29:58.160]  There's already been a lot of research out that generally
[30:00.280 --> 30:01.400]  communities already
[30:01.400 --> 30:04.300]  in tougher positions, lower socioeconomic
[30:04.300 --> 30:07.100]  status, generally communities of color
[30:07.100 --> 30:10.180]  are the ones that are hit the hardest by the
[30:10.180 --> 30:13.440]  environment and climate change. And yet
[30:13.440 --> 30:15.700]  it's those of us predominantly
[30:17.940 --> 30:19.400]  in US and
[30:19.400 --> 30:22.880]  Western Europe who are buying and disposing of these phones.
[30:22.880 --> 30:26.000]  And so our security decisions end up impacting
[30:26.000 --> 30:29.180]  these people, you know, on other places
[30:29.180 --> 30:32.020]  who might have nothing to do and have never
[30:32.020 --> 30:35.760]  interacted with these phones or devices in the first place.
[30:37.100 --> 30:37.580]  So
[30:38.520 --> 30:41.100]  those were a lot of examples. Not so
[30:41.100 --> 30:44.260]  happy, not so negative. But you might be saying to me
[30:44.260 --> 30:47.060]  because, you know, I've said it to myself as I try to work
[30:47.060 --> 30:50.500]  through these things myself. I'm just one person.
[30:50.500 --> 30:53.200]  I just work on securing a single app with only
[30:53.420 --> 30:56.360]  a thousand users. I'm just a manager of a little
[30:56.360 --> 30:59.320]  team. I'm not an exec. I'm not the director
[30:59.320 --> 31:02.500]  of security. I'm just a document writer.
[31:02.500 --> 31:05.000]  All those different things. And you might say
[31:05.320 --> 31:08.100]  I'm just making little choices. They don't have that big
[31:08.100 --> 31:11.240]  of an impact. It's none of the examples you have listed here.
[31:12.160 --> 31:14.560]  But the issue becomes
[31:14.560 --> 31:17.220]  that each of our choices become
[31:17.220 --> 31:19.940]  patterns and the norm and the status quo
[31:19.940 --> 31:24.060]  for how we expect products to be developed and released.
[31:24.300 --> 31:26.380]  So you might think, oh, I'm
[31:26.380 --> 31:29.320]  just making this little sacrifice, a compromise to get this
[31:29.320 --> 31:32.240]  product out the door for me. Our app doesn't impact
[31:32.240 --> 31:35.260]  all that many people. So it's good. But
[31:35.260 --> 31:38.680]  that choice then gives a precedent or a
[31:38.680 --> 31:41.660]  permission for others to make the same one and
[31:41.660 --> 31:44.340]  make those same compromises or those same
[31:44.340 --> 31:47.100]  sacrifices for a different group of people.
[31:47.460 --> 31:50.360]  And unfortunately, because this
[31:50.360 --> 31:53.300]  technology is so built into
[31:53.300 --> 31:56.400]  our ability to thrive, each of those
[31:56.400 --> 31:59.140]  little choices become systemic
[31:59.140 --> 32:02.140]  inequities. And they end up having huge
[32:02.140 --> 32:04.860]  society ramifications.
[32:05.200 --> 32:08.360]  So for example, in general, I've been guilty of it
[32:08.360 --> 32:11.340]  myself and I'm working on it too, but
[32:11.340 --> 32:14.020]  I have to acknowledge I've said, yeah,
[32:14.020 --> 32:17.380]  we accept that lower priced devices are less secure
[32:17.380 --> 32:19.940]  and that's because of the business model.
[32:19.960 --> 32:23.260]  They can't do everything. We accept
[32:23.260 --> 32:26.260]  that there is more risk to women for any apps
[32:26.260 --> 32:29.480]  that choose to track location.
[32:29.840 --> 32:32.680]  We accept that biometric
[32:32.680 --> 32:35.300]  security technologies aren't as effective
[32:35.300 --> 32:36.980]  on non-white faces.
[32:36.980 --> 32:39.960]  But each of these acceptances
[32:39.960 --> 32:42.980]  means that we are creating a system
[32:42.980 --> 32:45.700]  that accepts that
[32:45.700 --> 32:49.220]  not everyone deserves the same level of
[32:49.220 --> 32:51.940]  safety, security, and privacy.
[32:51.940 --> 32:55.120]  And we are compounding the previously
[32:55.120 --> 32:57.980]  and already existing systemic injustices
[32:58.640 --> 33:01.440]  and inequality through this technology.
[33:01.440 --> 33:04.460]  So instead of shrinking that gap as technology
[33:04.460 --> 33:07.420]  can, we continue to widen it.
[33:08.320 --> 33:09.960]  And it's easier
[33:09.960 --> 33:13.280]  and it's easier a lot of the time to believe,
[33:13.280 --> 33:16.320]  you know, I'm just making this decision or one little
[33:16.320 --> 33:19.180]  sacrifice for one product. And there are so many other
[33:19.180 --> 33:21.720]  products and other people working in this space.
[33:22.260 --> 33:24.440]  But we lean on each other
[33:25.220 --> 33:28.460]  and it ends up growing and growing and showing others
[33:28.460 --> 33:31.540]  what's cool, what's okay. And that's how we end up
[33:31.540 --> 33:34.440]  with having these extreme gaps
[33:34.440 --> 33:37.460]  in how people are able to access
[33:39.360 --> 33:41.780]  technology privately and securely.
[33:43.160 --> 33:44.240]  So an example
[33:44.240 --> 33:47.940]  of how our choices for security and technology
[33:47.940 --> 33:50.800]  end up having huge ramifications
[33:50.800 --> 33:53.660]  is that in both the United States and Europe,
[33:53.660 --> 33:56.700]  many are now using artificial intelligence algorithms
[33:56.700 --> 33:59.600]  to decide on what punishments a person should
[33:59.600 --> 34:02.340]  receive after breaking the law. So these are things like
[34:02.340 --> 34:06.380]  how much or if they should have bail,
[34:06.380 --> 34:08.720]  what is their sentencing,
[34:08.720 --> 34:11.660]  are they eligible for parole? This has now been
[34:11.660 --> 34:14.940]  pushed off to algorithms. But we as humans
[34:14.940 --> 34:17.520]  write these algorithms. And so these algorithms
[34:17.520 --> 34:20.760]  are saying, that have been written by humans, are deciding
[34:20.760 --> 34:23.480]  whether or not we believe this person
[34:23.480 --> 34:26.680]  can be rehabilitated to become a contributing member
[34:26.680 --> 34:29.660]  of society. And this algorithm is saying whether or not
[34:29.660 --> 34:32.920]  this person will commit a crime. But since
[34:32.920 --> 34:36.360]  we're coding all of these algorithms,
[34:36.360 --> 34:38.020]  they're going to bring the
[34:39.200 --> 34:41.620]  reflections of the team that's writing them.
[34:41.620 --> 34:44.820]  And the reflections of that security team who's looking at it
[34:44.820 --> 34:48.620]  and assessing it. Because, for example,
[34:48.620 --> 34:50.680]  I'm a white woman from the US
[34:50.680 --> 34:54.160]  for Canada Tech Company. If I'm writing the algorithm,
[34:54.160 --> 34:57.280]  I know I'm innocent. So I'm probably going to assume that people like
[34:57.280 --> 34:59.640]  me are innocent too and deserve
[35:00.140 --> 35:03.220]  shorter sentences. And so if our team all looks like
[35:03.220 --> 35:06.020]  me or only a few groups of people, then we're
[35:06.020 --> 35:09.100]  probably going to write our algorithm to contribute to
[35:09.100 --> 35:12.620]  just those... to give shorter sentences
[35:12.620 --> 35:15.200]  for the people who are like us and it's
[35:15.200 --> 35:18.160]  the others who are harmed.
[35:18.640 --> 35:21.360]  And I use another slide of emphasizing the same
[35:21.360 --> 35:24.480]  thing because this impact is just so
[35:24.480 --> 35:27.320]  huge. This is life or death.
[35:27.320 --> 35:30.060]  Having to go to prison or not.
[35:30.160 --> 35:33.300]  And it also causes generational trauma that goes across
[35:33.300 --> 35:36.060]  families for years and years and years.
[35:36.060 --> 35:38.820]  And so we really make sure that we are
[35:39.100 --> 35:42.060]  looking at our choices and understanding each of the
[35:42.060 --> 35:44.720]  consequences. Those consequences can be good
[35:45.160 --> 35:48.320]  or those consequences can be bad. But our choices
[35:48.320 --> 35:51.580]  create systemic problems.
[35:53.020 --> 35:55.260]  Another example of a systemic issue
[35:55.260 --> 35:58.260]  is, you know, in general,
[35:58.260 --> 36:01.880]  sex workers are discriminated against.
[36:01.880 --> 36:04.020]  And this article from Airbnb is just another
[36:04.020 --> 36:07.080]  example of that. So Airbnb developed an
[36:07.080 --> 36:09.480]  algorithm. They actually bought it. They used it and then bought it
[36:09.480 --> 36:12.280]  to try and determine how trustworthy
[36:13.280 --> 36:15.600]  a potential guest might be.
[36:15.600 --> 36:18.640]  Okay, let's put our Airbnb security
[36:18.640 --> 36:21.880]  engineer hat on as we've done for some of the other companies.
[36:22.320 --> 36:24.620]  Our goal is to make sure
[36:24.760 --> 36:27.880]  a host's home and property is safe. That's the goal.
[36:27.880 --> 36:30.760]  We probably won't keep hosts coming back if
[36:30.760 --> 36:33.600]  there's a high likelihood that they'll be
[36:33.600 --> 36:36.420]  stolen from, their house destroyed, things like that.
[36:36.420 --> 36:39.700]  So we're going to use an algorithm to decide whether or not
[36:39.700 --> 36:43.220]  the guests are trustworthy and thus should be allowed to rent.
[36:43.920 --> 36:47.660]  But along the way, while building this algorithm,
[36:47.660 --> 36:50.140]  we decide that sex workers mean
[36:50.140 --> 36:53.240]  they are untrustworthy. It doesn't matter
[36:53.240 --> 36:56.400]  if the sex worker is not using
[36:56.400 --> 36:59.160]  this for sex work. They just want to go along with their life.
[36:59.160 --> 37:01.320]  It does not matter if
[37:02.120 --> 37:05.160]  we are in a country where sex work is legal.
[37:05.160 --> 37:07.640]  We have decided through this algorithm that
[37:08.140 --> 37:10.720]  sex work equals untrustworthy.
[37:10.720 --> 37:13.740]  And thus, they don't have access to units. There can be
[37:13.740 --> 37:16.760]  random cancellations that put them at further harm
[37:16.760 --> 37:19.960]  if they've already arrived in the city or location and thus no longer
[37:19.960 --> 37:22.860]  have lodging. But that's the decision we've made
[37:22.860 --> 37:25.780]  in our algorithm. And the thing is, is that
[37:25.780 --> 37:28.600]  that continues to allow permission for then
[37:28.600 --> 37:32.220]  other companies to say, oh yeah, they did it so we can do it too.
[37:32.220 --> 37:34.860]  They're sex work. It's a category. We don't trust them.
[37:34.860 --> 37:37.600]  We don't allow them. And I think we see this.
[37:37.600 --> 37:39.880]  We see it over and over again, how
[37:40.720 --> 37:43.900]  sex workers are discriminated against.
[37:45.960 --> 37:46.400]  And so
[37:46.400 --> 37:49.640]  in this case, we're coming back to the
[37:49.820 --> 37:52.740]  e-waste anecdote we discussed earlier regarding
[37:52.740 --> 37:55.840]  security updates and their support periods.
[37:56.300 --> 37:58.840]  And so based on this graph, we can see that
[37:58.840 --> 38:01.440]  North America, Western Europe, Australia
[38:01.440 --> 38:04.480]  and Japan and South Korea are generally the biggest
[38:04.480 --> 38:07.460]  producers of e-waste.
[38:07.460 --> 38:10.400]  But they don't keep the e-waste to themselves
[38:10.400 --> 38:13.240]  or ourselves. We send it off
[38:13.240 --> 38:17.120]  to other countries and we pay them to accept it.
[38:17.300 --> 38:19.440]  And so then those other countries, which
[38:19.440 --> 38:22.360]  you know, Eastern Africa, I mean
[38:22.360 --> 38:24.580]  Western Africa, I always forget my East and West
[38:25.560 --> 38:27.120]  and Southeast Asia
[28:28.340 --> 28:31.480]  are two of the places that predominantly receive this
[38:31.480 --> 38:34.720]  and they're also at huge risk from climate change.
[38:34.720 --> 38:37.480]  But we're saying, hey, now y'all have to figure
[38:37.480 --> 38:40.400]  out how to deal with all of these toxic metals
[38:40.400 --> 38:42.960]  and parts that are within
[38:43.300 --> 38:46.340]  all of these devices and you're also
[38:46.340 --> 38:48.620]  going to be the ones hurt by climate change.
[38:50.480 --> 38:52.120]  But lastly,
[38:52.120 --> 38:55.440]  to hopefully get you on board and one more
[38:55.440 --> 38:58.580]  way of... we're at this precipice
[38:58.580 --> 39:01.480]  and we might be a few years past it where
[39:02.420 --> 39:04.720]  everything is becoming reliant on
[39:04.720 --> 39:07.560]  technology. We can't say, oh
[39:07.560 --> 39:10.700]  people are generally going to be safe and secure because they can choose not to
[39:10.700 --> 39:13.680]  use it. They can choose to only buy
[39:13.680 --> 39:16.440]  the expensive ones or else they're fine without
[39:16.440 --> 39:19.680]  any device. That's not where
[39:19.680 --> 39:22.660]  we are or where we're going. You know, in the United
[39:22.660 --> 39:25.400]  States, there's a lot of talk about moving to mobile
[39:25.400 --> 39:27.980]  driver's license. There's been different
[39:27.980 --> 39:31.400]  efforts to move to mobile passports. And so it will
[39:31.400 --> 39:34.420]  take extra effort and cause extra money
[39:34.420 --> 39:37.440]  to have to go and get a physical card if
[39:37.440 --> 39:40.420]  that's even allowed in the future. Even
[39:40.420 --> 39:43.480]  with coronavirus, just in the last couple of months, a lot of
[39:43.480 --> 39:46.300]  restaurants and retailers have decided to
[39:46.300 --> 39:48.840]  stop accepting cash just because of
[39:49.400 --> 39:52.480]  perceived virus transmission. And this hurts
[39:52.480 --> 39:55.540]  communities that either don't have access to banks
[39:55.540 --> 39:58.700]  or have a lot of reason not to
[39:58.700 --> 40:01.600]  trust that banks are safe for them and who have been
[40:01.600 --> 40:04.300]  wholly reliant on cash. We're again
[40:04.300 --> 40:07.520]  leaving them behind and saying, oh yeah, you
[40:07.520 --> 40:10.620]  don't need to participate in the economy because we've decided to go
[40:10.620 --> 40:13.760]  cashless. And another example
[40:13.760 --> 40:16.440]  is airlines.
[40:16.520 --> 40:18.960]  So in this case, this is Ryanair.
[40:18.960 --> 40:21.960]  And if you don't have an online boarding
[40:21.960 --> 40:25.020]  pass and you need the airline to print it
[40:25.020 --> 40:28.240]  for you at the airport, you know, how things were done
[40:28.860 --> 40:30.880]  six, seven years ago and was
[40:30.880 --> 40:33.940]  the norm, it will now cost you an additional 20
[40:33.940 --> 40:37.060]  pounds. So if you don't have technology, you
[40:37.060 --> 40:40.220]  are further penalized and charged for that.
[40:42.160 --> 40:43.560]  So what do we do?
[40:43.560 --> 40:46.260]  I told you I didn't want to just present problems
[40:46.260 --> 40:49.640]  with no solutions.
[40:50.340 --> 40:52.580]  And I'm guessing you, like me,
[40:52.580 --> 40:55.460]  are probably in the spot of, Maddie,
[40:55.460 --> 40:58.380]  this problem area is so huge.
[40:58.380 --> 41:01.260]  How do we even begin to confront
[41:01.260 --> 41:04.400]  it? And the first thing I want to do is remind us that
[41:04.400 --> 41:07.260]  we are in this powerful place
[41:07.260 --> 41:10.240]  of privilege and that the choice is
[41:10.240 --> 41:13.600]  up to us to address it. If we don't, no one else is.
[41:13.600 --> 41:16.600]  No one else can fix this because we are the ones who
[41:16.600 --> 41:20.060]  are in charge of information security.
[41:20.380 --> 41:22.440]  But this is also an exciting gift
[41:22.440 --> 41:25.000]  even if it might feel like a lot of responsibility
[41:25.600 --> 41:28.280]  because that means we don't have to sit here hopeless.
[41:28.580 --> 41:31.660]  We actually have the control personally to be
[41:31.660 --> 41:34.040]  able to start fighting for this new future
[41:34.600 --> 41:37.920]  where we believe that regardless of
[41:38.700 --> 41:40.560]  geolocation, race, gender, sexual
[41:40.560 --> 41:43.660]  orientation, ability, religion, and all
[41:43.660 --> 41:46.800]  the other different aspects that make us beautiful, diverse
[41:46.800 --> 41:49.840]  humans, if you have safe and secure access
[41:49.840 --> 41:52.820]  to the Internet, oh, what a beautiful world
[41:52.820 --> 41:56.360]  that would be. And so let's build it.
[41:56.840 --> 41:58.700]  We set the standards that
[41:58.700 --> 42:01.720]  security and privacy is a fundamental right,
[42:01.760 --> 42:04.720]  a fundamental foundation requirement. Nothing goes out
[42:04.720 --> 42:07.980]  that doesn't have security and privacy built in for it all.
[42:07.980 --> 42:10.980]  And this ultimately helps us, too, if you need
[42:10.980 --> 42:13.840]  the selfish argument. Because if we ensure that
[42:13.840 --> 42:17.040]  security and privacy is set in a fundamental right
[42:17.040 --> 42:20.060]  for everyone, if we're ever on
[42:20.060 --> 42:22.700]  the hook and on that precipice, we know it's guaranteed
[42:22.700 --> 42:25.300]  for us, too. So I hope
[42:26.120 --> 42:29.080]  5, 10, 15, 50, 20,
[42:29.080 --> 42:32.040]  however many years from now, we're going to have that option
[42:32.040 --> 42:35.060]  hopefully to look back and say,
[42:35.060 --> 42:37.820]  huh, I really helped there.
[42:37.820 --> 42:40.940]  I pushed for it and now we're living in this world where
[42:40.940 --> 42:44.200]  everyone has security and privacy.
[42:44.480 --> 42:46.420]  Or we can look back and say,
[42:46.860 --> 42:49.700]  I had a chance to help change it and I didn't.
[42:50.900 --> 42:52.980]  So how do we do this?
[42:52.980 --> 42:56.040]  One, as I've said before, security is a requirement,
[42:56.040 --> 42:59.020]  not a feature. It's the baseline for even having
[42:59.280 --> 43:01.100]  a minimal viable product.
[43:01.960 --> 43:04.060]  This is for startups who, you know,
[43:04.200 --> 43:07.060]  a lot of them currently say, we get something out the door and then
[43:07.060 --> 43:10.120]  security is added in v2. Nope, we don't allow that
[43:10.120 --> 43:13.080]  anymore. It's not just for those who pay or can wait,
[43:13.080 --> 43:14.160]  it's for everyone.
[43:16.100 --> 43:18.780]  Next, we are already explicit
[43:19.120 --> 43:21.860]  a lot of the time, or if we're not, we should be,
[43:21.860 --> 43:24.840]  about the threat models of who we're trying to protect and
[43:24.840 --> 43:28.060]  why we're suggesting the security features we are, the privacy
[43:28.060 --> 43:31.560]  constraints we are. So let's not only
[43:31.560 --> 43:34.380]  be explicit about who is helped,
[43:34.380 --> 43:37.340]  but let's be explicit about who is harmed, who could be
[43:37.340 --> 43:40.300]  adversely impacted by the threat model
[43:40.300 --> 43:43.280]  we've created. And the reasoning is, is not
[43:43.280 --> 43:46.360]  that everyone should be protected and helped in the same
[43:46.360 --> 43:49.080]  way for every product. It's that by
[43:49.080 --> 43:52.580]  naming problems, by saying, oh,
[43:52.580 --> 43:56.180]  this group of people would be harmed by this choice,
[43:56.180 --> 43:59.100]  we can at least start to brainstorm and come up with solutions
[43:59.100 --> 44:02.640]  and bring our creativity. But it's definitely impossible
[44:02.640 --> 44:05.320]  to try and come up with solutions if you've
[44:05.320 --> 44:07.720]  never even named it to be a problem.
[44:11.000 --> 44:11.880]  Three,
[44:11.880 --> 44:14.360]  you might be saying to me, Maddie, there's
[44:14.360 --> 44:17.440]  so many different groups and identities and things
[44:17.440 --> 44:20.460]  that are different. How am I supposed to keep all of them in my
[44:20.460 --> 44:23.100]  head and understand all of the impacts to everyone?
[44:23.100 --> 44:26.380]  And the cool thing is, is you don't have to, I don't have to,
[44:26.380 --> 44:28.700]  as long as we create teams
[44:28.700 --> 44:32.040]  that represent all of these different views and identities.
[44:32.040 --> 44:35.040]  And that team is inclusive, such that everyone
[44:35.040 --> 44:38.100]  can speak up and represent those experiences
[44:38.100 --> 44:40.860]  that they're bringing to the table. So,
[44:40.860 --> 44:43.980]  you don't have to ensure that you know
[44:43.980 --> 44:46.960]  how this is going to affect someone
[44:46.960 --> 44:49.700]  who's LGBT in Vietnam.
[44:49.700 --> 44:53.140]  If you have someone who's LGBT and someone from Vietnam,
[44:53.140 --> 44:55.520]  then they can also help represent.
[44:55.680 --> 44:58.120]  But it's even better if you hire for
[44:59.840 --> 45:01.940]  intersectionality. So if you hire that LGBT
[45:01.940 --> 45:04.860]  person from Vietnam, then you've definitely gotten their
[45:05.680 --> 45:08.280]  viewpoint across. And so,
[45:08.280 --> 45:11.120]  for a lot of people in our industry,
[45:11.120 --> 45:13.760]  when they say, hire for diversity, it's people
[45:13.760 --> 45:16.760]  who look like me. But the only thing I bring
[45:16.760 --> 45:19.720]  to the table that's different
[45:19.720 --> 45:22.560]  is generally those views about gender
[45:22.560 --> 45:25.800]  that aren't always represented here. But if you
[45:25.800 --> 45:28.880]  hire a black woman or an indigenous woman, then she
[45:28.880 --> 45:31.920]  will bring to the table both the
[45:32.960 --> 45:34.760]  effects on race
[45:34.760 --> 45:37.600]  as well as the effects of being a woman. So,
[45:37.600 --> 45:40.360]  it's just a great investment for you to hire for
[45:40.980 --> 45:42.100]  intersectionality.
[45:43.240 --> 45:44.600]  Four,
[45:45.580 --> 45:48.300]  write code and build products for the worst possible
[45:48.300 --> 45:51.060]  case that it could be used for. And I totally spelled
[45:51.060 --> 45:53.980]  right wrong here, but we're this far in it, so it's
[45:53.980 --> 45:56.100]  going to continue.
[45:56.900 --> 45:59.940]  So, we may build technologies and
[45:59.940 --> 46:02.060]  secure things for a specific
[46:02.980 --> 46:06.020]  cause that we believe is ethically good
[46:06.020 --> 46:09.420]  and okay and all these things. But we
[46:09.420 --> 46:13.060]  don't always know how things are going to be used in the future.
[46:13.180 --> 46:15.980]  So, from the get-go, we need to build our products
[46:15.980 --> 46:18.960]  and frame our security requirements for the worst
[46:18.960 --> 46:22.400]  case imaginable. Because again, the technology
[46:22.400 --> 46:25.300]  can be used to help or hurt. So, let's build in our
[46:25.300 --> 46:27.060]  values and ethics from the beginning.
[46:29.100 --> 46:31.780]  Lastly, if you're a little overwhelmed,
[46:31.780 --> 46:34.240]  welcome to the club. Yes, this is
[46:34.240 --> 46:37.400]  hard. But as Glennon Doyle says, we can do hard
[46:37.400 --> 46:40.140]  things. We won't be perfect.
[46:40.140 --> 46:43.620]  I'm far from perfect. But we have to keep learning
[46:43.620 --> 46:46.440]  and trying. You know, an example of this is
[46:46.440 --> 46:49.560]  that this talk has been very US-centric because
[46:49.560 --> 46:52.420]  that's where my background is. And so, it would be really valuable
[46:52.420 --> 46:55.480]  to cons and the community as a whole to also
[46:55.480 --> 46:58.320]  have similar talks that are coming from different
[46:58.320 --> 47:01.300]  perspectives that I can't and don't know how to
[47:01.300 --> 47:04.480]  accurately represent. And so, the key thing
[47:04.480 --> 47:07.540]  is that we don't need to reinvent the wheel.
[47:07.820 --> 47:10.460]  We just need to hire and pay the people that are
[47:10.460 --> 47:13.520]  already doing this work and asking us to listen to
[47:13.520 --> 47:17.020]  the effects that this technology can have on their communities.
[47:18.640 --> 47:22.060]  And so, if we do those things together,
[47:22.060 --> 47:24.520]  that can make it a lot less hard.
[47:24.700 --> 47:27.580]  Because I don't know how many people are watching this talk,
[47:27.580 --> 47:29.860]  but I know that there are probably thousands and thousands
[47:30.760 --> 47:33.300]  attending DEF CON as a whole. So, if
[47:33.300 --> 47:36.600]  every single one of us decided,
[47:36.600 --> 47:39.300]  okay, from here on out, I'm going to start speaking
[47:39.300 --> 47:41.940]  up and taking actions to question,
[47:41.940 --> 47:45.220]  can we do better in helping more people and not
[47:45.220 --> 47:48.420]  allowing others to be harmed? And that becomes the norm.
[47:48.460 --> 47:50.640]  Because one of the things that makes this hard is
[47:51.800 --> 47:54.340]  being alone and feeling like you're the only
[47:54.340 --> 47:57.380]  one who's worried about this and challenging the status
[47:57.380 --> 48:00.180]  quo. So, if we all do this together,
[48:00.180 --> 48:03.360]  then the norm is to speak up. The norm is to demand
[48:03.360 --> 48:06.680]  the fundamental right to security and privacy.
[48:06.920 --> 48:09.380]  We're all in this together, and that's how
[48:09.380 --> 48:12.380]  we can hopefully do it and make it less scary
[48:12.380 --> 48:15.420]  and less hard. And so, finally,
[48:15.420 --> 48:18.340]  to close this all up, as I've said
[48:18.340 --> 48:21.440]  before, there's no neutral. I really wish
[48:21.440 --> 48:24.420]  there was, because sometimes we're all just tired
[48:24.420 --> 48:27.540]  and exhausted, but there's not. And so, we need
[48:27.540 --> 48:30.420]  to own that, and we need to own that we have the power
[48:30.420 --> 48:34.060]  and privilege, and all of these users are relying on us.
[48:34.060 --> 48:36.720]  So, let's use these beautiful positions
[48:36.720 --> 48:40.020]  and fun work we get to do to fight so that security,
[48:40.020 --> 48:42.480]  privacy, and safety are a right for all.
[48:42.940 --> 48:45.660]  And, you know, that's the world I want to live in.
[48:46.300 --> 48:48.380]  So, with that, thank you.
[48:48.960 --> 48:52.100]  And yeah, I'm staring at my webcam now. Okay, bye!
